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Abstract 

In January 2004, two Mars Exploration Rover spacecraft arrived at Mars. Each safely delivered an 
identical rover to the Martian surface in a tetrahedral lander encased in airbags. Upon landing, the 
airbags deflated and three Lander Petal Actuators opened the three deployable Lander side petals 
enabling the rover to exit the Lander. Approximately nine weeks prior to the scheduled launch of the first 
spacecraft, one of these mission-critical Lander Petal Actuators exhibited a brake stuck-open failure 
during its final flight stow at Kennedy Space Center. Residual magnetism was the definitive conclusion 
from the failure investigation. Although residual magnetism was recognized as an issue in the design, the 
lack of an appropriately specified lower bound on brake drop-out voltage inhibited the discovery of this 
problem earlier in the program. In addition, the brakes had more unit-to-unit variation in drop-out voltage 
than expected, likely due to a larger than expected variation in the magnetic properties of the 15-5 PH 
stainless steel brake plates. Failure analysis and subsequent rework of two other Lander Petal Actuators 
with marginal brakes was completed in three weeks, causing no impact to the launch date. 

Introduction 

Two Mars Exploration Rover (MER) spacecraft were sent to Mars, each with a rover to explore the 
Martian surface with its suite of instruments. After entering the Martian atmosphere in an aeroshell, the 
rovers were delivered to the surface in a Lander covered in airbags. Once the landing system came to 
rest on the Martian surface and the airbags deflated, three Lander Petal Actuators (LPAs) opened the 
three deployable Lander side petals, enabling the rover to exit the Lander. Approximately nine weeks 
prior to the scheduled launch of the first spacecraft, one LPA exhibited a brake failure during its final flight 
stow at Kennedy Space Center. The failure analysis of this mission critical actuator and the subsequent 
rework of two other marginal flight LPAs were all done without causing the launch date to slip. 

The MER spacecraft, carrying the rovers called Spirit and Opportunity, were launched on June 10, 2003 
and July 7, 2003. These spacecraft successfully landed on Mars on January 3, 2004 and January 24, 
2004 respectively. All six LPAs operated without any problems. 

Figures 1 and 2 show the LPAs installed in the Lander in both the stowed and deployed configurations. 
The tetrahedral Lander shape with its three LPA-deployed side petals is inherited from the 1997 Mars 
Pathfinder (MPF) program [1], With this arrangement, the Lander can right itself from any side petal onto 
its base petal by opening that side petal until the Lander center of gravity tips the entire system onto the 
base petal. The LPA torque requirements for MER were much higher due primarily to the larger mass of 
the landed system, making a re-flight of the MPF LPA design impossible. The same MPF volume 
constraints for the LPA were applied to MER so the Lander would fit inside the aeroshell. Maintaining the 
same volume and nearly the same mass as MPF while producing three times the output torque was a 
significant challenge for the MER LPA. Each LPA had to develop sufficient torque to lift, overturn and right 
the Lander should it come to rest on a side petal rather than the base petal. Both the first MER lander and 
the MPF lander stopped on the base petal. However, the second MER lander came to rest on a side 
petal, causing that side petal LPA to right the lander. In addition, each LPA had to be able to over-deploy 
its petal to assist in leveling the Lander for a safe rover egress should it come to rest on uneven terrain. 
Thus, the actuator’s unpowered holding torque (or backdrive torque) had to exceed the reaction load from 
the weight of the Lander supported on a petal with that petal in the fully deployed position. Petal 
adjustments were made on each MER lander to aid the rover egress. During petal opening, LPA position 
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knowledge is provided by an incremental encoder signal constructed in the LPA electronics from the 
motor commutation sensor signals. The LPA electronics are brushless motor drive electronics, physically 
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Figure 1. Lander Petal Actuators open each MER Lander side petal to the iron cross position, 
where all petals are coplanar. Petal motion past this condition is called over-deployed. 
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Figure 2. The MER Lander with two side petals stowed and the third side petal closing 
under the action of its Lander Petal Actuator 
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Figure 3. MER Lander Petal Actuator with its electronics 



Figure 4. The LPA motor and brake are separately powered and commanded by the system 
electronics through the LPA electronics, a brushless motor drive electronics. 

separate from the LPA and connected by a cable (Figure 3). Potentiometers at each of the petal hinge 
lines provide additional coarse petal position information, an absolute reference for rover egress. 

Lander Petal Actuator 

The MER Lander Petal Actuator (Figure 3) is a high torque actuator (3300 N»m output torque) produced 
by Aeroflex Laboratories, Inc., which consists of a brushless DC motor, a power-off brake, 7 stages of 
planetary gearing with an overall ratio of 324,099:1, and a crowned spline on the output shaft. The LPA 
required a brake to meet its backdrive torque requirements with power removed because of the high 
efficiency of the planetary gearing. The brake is mechanically engaged when non-powered to lock the 
motor rotor and ensure that the Lander petals cannot move due to external loads. The LPA motor and 
LPA brake are separately powered and commanded by the system electronics through the LPA 
electronics (Figure 4). During operation, power is first applied to the LPA brake to release it, followed by 


223 


power to the LPA motor to initiate petal motion. At the conclusion of motion, power is first removed from 
the LPA motor and then the LPA brake to avoid clamping the brake rotor at high speed. All LPAs were 
tested over temperature at the actuator level to restrain 3300 N*m externally applied to the output shaft. 
The brake design is a standard spring-applied, power-to-release configuration as shown in the 
motor/brake assembly cross-section (Figure 5). The brake rotor is attached to the motor rotor. With the 
brake unpowered, 6 compression springs push the friction plate against the brake rotor, preventing motor 
rotation. When the brake is energized to release the motor, the friction plate is guided on 3 pins and 
pulled against the springs by the solenoid. The total stroke of the friction plate is 0.13 mm. There is a 
0.051 mm annular non-magnetic shim between the friction plate and the solenoid to break the magnetic 
flux path and prevent residual magnetism from permanently retaining the friction plate on the solenoid 
(the stuck-open position). 
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Figure 5. 
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Cross-section of the Lander Petal Actuator motor/brake assembly 
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Failure and Failure Investigation 

The LPA failure occurred about nine weeks before the scheduled launch of the first MER spacecraft. In 
preparation for closing the Lander for the last time, the spacecraft commanded the Lander petals through 
their range of motion using the LPAs so that cabling and other hardware near the hinge line could be 
observed for proper installation and clearance. Although the petals had been moved with the LPAs many 
times before, this was the first time that all the hardware including the flight airbags was installed during 
the motion. During a pause in the final flight stow sequence of the Lander petals using the LPAs, one 
petal drifted downward under gravity with the spacecraft unpowered. The weight of the assembled petal 
applied about 418 N*m of torque to the LPA output shaft or 13% of the tested backdrive resistance. A 
load of this magnitude clearly should not have caused the actuator to backdrive with the brake engaged. 
The failure was initially observed visually as an offset between the commanded position and the actual 
position. One petal seemed lower than it should be. A check of spacecraft telemetry from the hinge line 
potentiometers indicated that there was continued motion after completion of the commanded motion, on 
one petal only, although the current draw from the brake was as expected during the motion and went to 
zero upon completion of the motion. Once a problem was suspected, the continued motion was also 
visually observed. The anomaly was repeatable. In a separate check, the suspect petal moved when the 
LPA was commanded without energizing the brake, a further sign that the brake was not performing 
properly. 
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Even though all evidence pointed toward a problem with the LPA brake, a brake failure did not seem 
credible. Swift, decisive action was required to prevent a launch delay, however the closeness to launch 
made it even more critical to conclusively isolate the problem prior to removing the hardware from the 
spacecraft. Uncertainty in determining the cause of the problem would jeopardize the launch. The 
problem was conclusively isolated to the actuator using the following rationale. With the petal backdriving, 
the spacecraft was powered off and the connectors between the spacecraft, the LPA drive electronics, 
and the LPA were demated sequentially until the LPA was completely isolated from the rest of the 
system. The petal was still backdriving, which conclusively placed the failure in the actuator, eliminating 
the possibility that a stray current in the system or the drive electronics was keeping the brake powered 
and in the open position. The failed LPA (SN 007) was removed from the Lander and replaced by a flight 
spare and failure analysis began on the removed LPA. The failure investigation was conducted at 
Kennedy Space Center to eliminate the possibility that the failure would be lost during transportation of 
the LPA to either the Jet Propulsion Laboratory or Aeroflex Laboratories, Inc. 
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Figure 6. Fault tree for LPA brake failure with the actual failure highlighted in the dotted box 

The evidence at this point only indicated that the brake was not resisting motion. Many different failure 
possibilities were considered which fell into the following general categories: “Brake in Open Condition”; 
“Loss of Friction at Brake Interface"; or “Rotor Not Transmitting Torque to Brake Assembly” (Figure 6). 
Many of the failures could only be observed through disassembly of the brake and some of these had the 
additional unfortunate characteristic that disassembly could cause the loss of the failure. After visual 
examination of the LPA indicated nothing unusual, the motor was operated with no power to the brake. 
Motor current indicated no-load operation, which meant the failure was still intact. Real time X-ray 
examination revealed the brake in a fully disengaged position even though no power was applied to the 
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brake. This observation eliminated two of the three branches of the fault tree, leaving only the failures 
listed under “Brake in Open Condition”. No tilting of the friction plate was apparent and nothing unusual 
was observed in the brake assembly. The only failure remaining that could be determined without 
disassembly was “Residual Magnetic Field Holding Brake Open”. While still under X-ray examination, a 
reverse polarity voltage was slowly applied to the brake starting at 0 volts, a demagnetizing action for the 
friction plate. At negative 0.3 volts, the friction plate moved to the engaged position against the motor 
rotor indicating the failure was caused by residual magnetism holding the friction plate against the 
solenoid even though a non-magnetic washer was in the assembly to prevent this particular failure. The 
motor stalled when operated again with the brake unpowered proving that the demagnetized brake was 
now fully mechanically engaged. Residual magnetism was the source of the failure in this LPA! 

Assessment of Other LPAs 

A survey of the acceptance test data for all LPA brake assemblies was performed as a consequence of 
the SN 007 LPA brake failure. Particular attention was given to the pull-in and drop-out voltages for the 
brake assemblies since these measurements are an indication of the electromechanical performance of 
the units. With no voltage applied to the brake, the friction plate is pressed against the brake rotor by the 
compression springs. Pull-in voltage is measured by slowly raising the brake voltage from zero volts until 
the friction plate is pulled in to the solenoid, mechanically disengaging from the brake rotor and permitting 
the motor to turn when the motor is powered with its drive electronics. Figure 7 illustrates the force 
balance for pull-in. Increasing the voltage across the brake coil causes the current in the solenoid to 
increase. As the current increases, the magnitude of the magnetic field increases thereby increasing the 
magnetic force, F M , on the friction plate. The two forces that act in opposition to F M are F s , the total force 
from the 6 compression springs, and F f , the friction force between the 3 guide pins and the friction plate. 
When the magnetic force exceeds the sum of the spring and friction forces, or 

F m > F s + F j ( 1 ) 

the friction plate moves away from the brake rotor and toward the solenoid, mechanically disengaging the 
brake. Once motion starts, the brake plate moves quickly open since F M increases much faster than F s as 
the air gap decreases. F M is a squared function of air gap while F s is a linear function. 


Pull-in Voltage 
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Friction Plate moves when 
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Figure 7. Force balance for brake pull-in and drop-out voltages 


Drop-out voltage is then measured by slowly lowering the voltage until the friction plate releases from the 
solenoid, mechanically engaging the brake rotor again. Figure 7 illustrates the force balance for drop-out. 
Decreasing the voltage across the solenoid reduces its current and therefore the magnitude of the 
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magnetic field. As a result, F M decreases. When the total spring force is sufficient to overcome both the 
magnetic force and the friction force, or 


Fs > F m + Fj- (2) 

the friction plate moves away from the solenoid and reengages the brake rotor. Once motion begins, the 
friction plate moves quickly to the engaged position since F M decreases much faster than F s as the air 
gap increases. In the case of the failed brake, the condition in equation 2 was not met even though the 
solenoid voltage and therefore current was zero. F M was non-zero due to residual magnetism. 

The pull-in and drop-out motions of the brake are critical to the operation of the LPA and must be 
assessed for force margin like any other critical deployment. The desire was to have a force capability of 
at least twice the force needed to move the components over all conditions of environment and operating 
voltage. This equates to a minimum factor of safety (the ratio of force capability to force required) of 2.0. 
The flight brakes were measured to have a pull-in voltage <17 VDC, demonstrating operating margin 
from the minimum flight input voltage of 24 VDC. The magnetic force is 20 N at 17 VDC and 37.6 N at 24 
VDC compared to a maximum total spring force of 10.45 N and an analytically determined maximum 
friction force of 0.013 N, surpassing the minimum desired force factor of safety for the pull-in deployment 
by a large amount. Drop-out voltage was measured to be <10 VDC, ensuring adequate separation 
between the pull-in and drop-out behavior. However no lower threshold on drop-out voltage was defined 
to ensure operating margin above zero input voltage. The lack of an appropriately specified lower bound 
for this parameter was an oversight that hindered the discovery of brakes with insufficient force margin for 
drop-out during acceptance testing. The minimum required force factor of safety for the drop-out 
deployment was not proven during acceptance testing. Since the failed LPA clearly did not have sufficient 
margin for drop-out, the other flight LPAs, which were already installed on the flight Landers, were 
evaluated. The pull-in and drop-out voltages of all LPA brakes were recorded during acceptance testing 
and measured again after the failure (Table 1). Although the failed unit had the lowest measured value of 
drop-out voltage, SN 003 and 008 also had very low values for drop-out voltage, raising suspicions that 
these two actuators might also have insufficient margin for drop-out. A proper specification of drop-out 
voltage defining sufficient force margin was needed to properly evaluate the flight LPAs and determine if 
rework was required. LPAs were switched between the two landers, placing the three flight LPAs with the 
highest values of drop-out voltage on the first lander being prepared for launch. This allowed preparations 
to continue on the most time-critical lander while the LPA assessment continued, maximizing the chance 
that the failure could be addressed without impacting either launch. 

Table 1. LPA Pull-In and Drop-Out Voltage Measurements 


SN 

Acceptance Test Values 
(VDC) 

As Remeasured 
(VDC) 

Type of Unit 

(a) Failed Unit 

Pull-In 

Drop-Out 

Pull-In 

Drop-Out 


001 

14.1 

2.2 

12.3 

2.22 

Qualification 

002 

Not avail. 

Not avail. 

12.9 

3.25 

Flight 

003 

14.3 

1.9 

13.6 

0.79 

Flight 

004 

12.0 

5.0 

15.9 

3.79 

Flight 

005 

15.5 

1.0 

Not meas. 

Not meas. 

Testbed 

006 

14.07 

2.6 

14.1 

2.40 

Flight 

007 ,a ' 

12.7 

0.6 

12.8 

-0.3, 0.29 

Flight 

008 

13.7 

1.1 

11.7 

1.25 

Flight 

009 

12.8 

1.72 

12.2 

1.02 

Testbed 

010 

15.1 

0.85 

Not meas. 

Not meas. 

Testbed 

011 

13.8 

2.3 

13.7 

2.54 

Flight Spare 


There is no way to take a direct measurement of force in the brake assembly on the fully assembled LPA, 
therefore there is no way to directly verify the force margin for drop-out on each LPA. Since drop-out 
voltage is the only easily acquired measurement on the fully assembled LPA, what was needed was a 
relationship between drop-out voltage and force so that a minimum force factor of safety of 2.0 could be 
guaranteed. A series of tests was performed on a spare brake assembly to determine how drop-out 
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voltage varied with spring force. The nominal spring force was calculated from the spring constant and 
the geometry of the brake assembly. Starting with the friction plate pulled in against the solenoid, the 
voltage to the brake was lowered until the plate moved under the force of the springs. Reducing the 
number of springs in the brake assembly decreased the spring force pushing on the friction plate until the 
brake plate no longer dropped out at zero voltage (Table 2). At this condition, the residual magnetic force 
is greater than the spring force attempting to push the brake plate off the solenoid. An additional test was 
performed with no springs in the brake assembly. The voltage to the brake was reduced to zero and a 
measurement of the force required to separate the friction plate from the solenoid was recorded (Table 
3). The same measurements were taken after adding a second non-magnetic 0.051 mm shim between 
the solenoid and the friction plate (Tables 2 and 3). Adding the second shim raised the drop-out voltage 
significantly (Figure 8) without changing the pull-in voltage substantially. These tests enabled a method to 
determine the force margin and illustrated a rework path that could increase that margin. 

Table 2. Drop-out voltage vs. spring force as measured on a spare brake 


# of Springs 

0.051-mm shim 

2x 0.051-mm shim | 

Nominal 
Force (N) 

Voltage (V) 

Nominal Force 
(N) 

Voltage (V) 

6 

9.012 

1.27 

8.910 

3.60 

5 

7.508 

0.92 

7.428 

3.21 

4 

6.005 

0.22 

5.943 

2.12 

3 

4.506 

No release 1 ^ 

4.457 

1.51 

2 



2.971 

0.35 

1 



1.486 

No release 


(b) No release at zero volts, released with -0.3 volts (reverse polarity voltage of 0.3 volts) 


Table 3. Force required to separate the friction plate from the solenoid at zero volts 

as measured on a spare brake 


# of Springs 

0.051-mm shim 

2x 0.051-mm shim j 

Nominal Force 
(N) 

Voltage (V) 

Nominal Force 
(N) 

Voltage (V) 

0 

4.706 

0 

2.224 

0 


The required margin point for each shim condition was determined using the spring force test data and a 
tolerance analysis of spring force. A quadratic equation was fit to the test data in Figure 8 since force in 
the solenoid is a quadratic function of current and therefore voltage. Regression results in equations of 
the form: 

F = uV + bV + c (3) 

with a , b , and c all constants. Setting c equal to the minimum possible spring force of three springs 
minus the maximum possible friction force from the alignment pins shifted the curves. This ensures that 
when six springs are present, there is a minimum factor of safety of 2.0 on the force required to create 
drop-out at the zero voltage condition. The two shifted regression curves are plotted in Figure 9, one 
curve for a single, non-magnetic 0.051 -mm shim and one for a double, non-magnetic shim or a 0.102 mm 
total shim thickness. The final margin point for each shim thickness was calculated from the regression 
curves as the drop-out voltage values corresponding to the maximum possible force from 6 springs plus 
an additional two times the friction force. An additional 0.1 VDC was added to account for measurement 
scatter resulting in required minimum drop-out voltage values of 2.05 VDC for the 0.051 -mm shim 
thickness and 3.81 VDC for the 0.102-mm shim thickness. It should be noted that the drop-out voltage of 
0.6 measured during acceptance testing of the failed LPA works out to a force factor of safety of 0.97. 
This was a unit that clearly should have failed. 
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Figure 8. Test data from a spare brake assembly characterizes the variation of drop-out voltage 
with spring force for two different shim thicknesses. 
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Figure 9. Regression curves from test data are appropriately shifted and used to determine the 
drop-out voltage required for a minimum 2.0 factor of safety. 
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